CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2020 (CVSS score >= 5)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2020-6774 668 2020-05-27 2020-05-29
7.2
None Local Low Not required Complete Complete Complete
Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.
302 CVE-2020-6651 20 Exec Code 2020-05-07 2020-05-12
6.0
None Remote Medium ??? Partial Partial Partial
Improper Input Validation in Eaton's Intelligent Power Manager (IPM) v 1.67 & prior on file name during configuration file import functionality allows attackers to perform command injection or code execution via specially crafted file names while uploading the configuration file in the application.
303 CVE-2020-6474 416 2020-05-21 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
304 CVE-2020-6471 276 2020-05-21 2021-01-28
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
305 CVE-2020-6469 276 2020-05-21 2020-07-08
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
306 CVE-2020-6468 787 2020-05-21 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in V8 in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
307 CVE-2020-6467 416 2020-05-21 2021-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in WebRTC in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
308 CVE-2020-6466 416 2020-05-21 2020-07-08
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in media in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
309 CVE-2020-6465 416 2020-05-21 2020-07-08
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in reader mode in Google Chrome on Android prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
310 CVE-2020-6464 787 2020-05-21 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in Blink in Google Chrome prior to 81.0.4044.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
311 CVE-2020-6463 787 2020-05-21 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
312 CVE-2020-6462 416 2020-05-21 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
313 CVE-2020-6461 416 2020-05-21 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in storage in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
314 CVE-2020-6459 787 2020-05-21 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in payments in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
315 CVE-2020-6458 125 2020-05-21 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
316 CVE-2020-6457 416 2020-05-21 2020-07-02
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in speech recognizer in Google Chrome prior to 81.0.4044.113 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
317 CVE-2020-6262 74 Exec Code 2020-05-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Service Data Download in SAP Application Server ABAP (ST-PI, before versions 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application and the whole ABAP system leading to Code Injection.
318 CVE-2020-6253 89 Exec Code Sql 2020-05-12 2020-05-15
6.5
None Remote Low ??? Partial Partial Partial
Under certain conditions, SAP Adaptive Server Enterprise (Web Services), versions 15.7, 16.0, allows an authenticated user to execute crafted database queries to elevate their privileges, modify database objects, or execute commands they are not otherwise authorized to execute, leading to SQL Injection.
319 CVE-2020-6252 200 +Info 2020-05-12 2021-07-21
5.2
None Local Network Low ??? Partial Partial Partial
Under certain conditions SAP Adaptive Server Enterprise (Cockpit), version 16.0, allows an attacker with access to local network, to get sensitive and confidential information, leading to Information Disclosure. It can be used to get user account credentials, tamper with system data and impact system availability.
320 CVE-2020-6251 200 +Info 2020-05-12 2021-07-21
5.0
None Remote Low Not required Partial None None
Under certain conditions or error scenarios SAP Business Objects Business Intelligence Platform, version 4.2, allows an attacker to access information which would otherwise be restricted.
321 CVE-2020-6250 200 +Info 2020-05-12 2021-07-21
6.7
None Local Network Low ??? Partial Partial Complete
SAP Adaptive Server Enterprise, version 16.0, allows an authenticated attacker to exploit certain misconfigured endpoints exposed over the adjacent network, to read system administrator password leading to Information Disclosure. This could help the attacker to read/write any data and even stop the server like an administrator.
322 CVE-2020-6249 89 Sql 2020-05-12 2020-05-15
6.5
None Remote Low ??? Partial Partial Partial
The use of an admin backend report within SAP Master Data Governance, versions - S4CORE 101, S4FND 102, 103, 104, SAP_BS_FND 748; allows an attacker to execute crafted database queries, exposing the backend database, leading to SQL Injection.
323 CVE-2020-6248 20 Exec Code 2020-05-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not perform the necessary validation checks for an authenticated user while executing DUMP or LOAD command allowing arbitrary code execution or Code Injection.
324 CVE-2020-6247 20 2020-05-12 2021-07-21
5.0
None Remote Low Not required None None Partial
SAP Business Objects Business Intelligence Platform, version 4.2, allows an unauthenticated attacker to prevent legitimate users from accessing a service. Using a specially crafted request, the attacker can crash or flood the Central Management Server, thereby impacting system availability.
325 CVE-2020-6243 74 2020-05-12 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Under certain conditions, SAP Adaptive Server Enterprise (XP Server on Windows Platform), versions 15.7, 16.0, does not perform the necessary checks for an authenticated user while executing the extended stored procedure, allowing an attacker to read, modify, delete restricted data on connected servers, leading to Code Injection.
326 CVE-2020-6242 306 2020-05-12 2020-07-02
7.5
None Remote Low Not required Partial Partial Partial
SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on the Central Management Console without password in case of the BIPRWS application server was not protected with some specific certificate, leading to Missing Authentication Check.
327 CVE-2020-6241 89 Sql 2020-05-12 2020-05-14
6.5
None Remote Low ??? Partial Partial Partial
SAP Adaptive Server Enterprise, version 16.0, allows an authenticated user to execute crafted database queries to elevate privileges of users in the system, leading to SQL Injection.
328 CVE-2020-6240 20 DoS 2020-05-12 2021-07-21
5.0
None Remote Low Not required None None Partial
SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an unauthenticated attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service leading to Denial of Service
329 CVE-2020-6094 787 Exec Code 2020-05-06 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the TIFF fillinraster function of the igcore19d.dll library of Accusoft ImageGear 19.4, 19.5 and 19.6. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
330 CVE-2020-6092 190 Exec Code Overflow 2020-05-18 2022-05-12
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. In order to trigger this vulnerability, victim must open a malicious file.
331 CVE-2020-6091 287 Bypass 2020-05-22 2022-04-28
6.4
None Remote Low Not required Partial Partial None
An exploitable authentication bypass vulnerability exists in the ESPON Web Control functionality of Epson EB-1470Ui MAIN: 98009273ESWWV107 MAIN2: 8X7325WWV303. A specially crafted series of HTTP requests can cause authentication bypass resulting in information disclosure. An attacker can send an HTTP request to trigger this vulnerability.
332 CVE-2020-6082 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the ico_read function of the igcore19d.dll library of Accusoft ImageGear 19.6.0. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
333 CVE-2020-6081 345 Exec Code 2020-05-07 2022-06-03
6.5
None Remote Low ??? Partial Partial Partial
An exploitable code execution vulnerability exists in the PLC_Task functionality of 3S-Smart Software Solutions GmbH CODESYS Runtime 3.5.14.30. A specially crafted network request can cause remote code execution. An attacker can send a malicious packet to trigger this vulnerability.
334 CVE-2020-6076 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the igcore19d.dll ICO icoread parser of the Accusoft ImageGear 19.5.0 library. A specially crafted ICO file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
335 CVE-2020-6075 787 Exec Code 2020-05-06 2022-04-19
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable out-of-bounds write vulnerability exists in the store_data_buffer function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted PNG file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
336 CVE-2020-6074 416 Exec Code 2020-05-18 2022-06-03
6.8
None Remote Medium Not required Partial Partial Partial
An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
337 CVE-2020-5897 416 2020-05-12 2020-05-14
6.8
None Remote Medium Not required Partial Partial Partial
In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability in the BIG-IP Edge Client Windows ActiveX component.
338 CVE-2020-5894 384 2020-05-07 2020-05-12
5.8
None Remote Medium Not required Partial Partial None
On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out.
339 CVE-2020-5834 22 Dir. Trav. 2020-05-11 2020-05-14
5.0
None Remote Low Not required Partial None None
Symantec Endpoint Protection Manager, prior to 14.3, may be susceptible to a directory traversal attack that could allow a remote actor to determine the size of files in the directory.
340 CVE-2020-5753 670 2020-05-20 2022-04-07
5.0
None Remote Low Not required Partial None None
Signal Private Messenger Android v4.59.0 and up and iOS v3.8.1.5 and up allows a remote non-contact to ring a victim's Signal phone and disclose currently used DNS server due to ICE Candidate handling before call is answered or declined.
341 CVE-2020-5752 22 Exec Code Dir. Trav. 2020-05-21 2020-12-08
7.2
None Local Low Not required Complete Complete Complete
Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.
342 CVE-2020-5741 502 Exec Code 2020-05-08 2021-12-14
6.5
None Remote Low ??? Partial Partial Partial
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
343 CVE-2020-5579 89 Exec Code Sql 2020-05-20 2020-05-20
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the Paid Memberships versions prior to 2.3.3 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.
344 CVE-2020-5577 434 2020-05-14 2020-05-15
6.5
None Remote Low ??? Partial Partial Partial
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allow remote authenticated attackers to upload arbitrary files and execute a php script via unspecified vectors.
345 CVE-2020-5576 352 CSRF 2020-05-14 2020-05-15
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to hijack the authentication of administrators via unspecified vectors.
346 CVE-2020-5574 74 2020-05-14 2020-05-15
5.0
None Remote Low Not required None Partial None
HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors.
347 CVE-2020-5538 269 Exec Code 2020-05-11 2021-07-21
7.2
None Local Low Not required Complete Complete Complete
Improper Access Control in PALLET CONTROL Ver. 6.3 and earlier allows authenticated attackers to execute arbitrary code with the SYSTEM privilege on the computer where PALLET CONTROL is installed via unspecified vectors. PalletControl 7 to 9.1 are not affected by this vulnerability, however under the environment where PLS Management Add-on Module is used, all versions are affected.
348 CVE-2020-5537 20 Exec Code 2020-05-25 2020-05-27
7.5
None Remote Low Not required Partial Partial Partial
Cybozu Desktop for Windows 2.0.23 to 2.2.40 allows remote code execution via unspecified vectors.
349 CVE-2020-5409 601 2020-05-14 2020-05-15
5.8
None Remote Medium Not required Partial Partial None
Pivotal Concourse, most versions prior to 6.0.0, allows redirects to untrusted websites in its login flow. A remote unauthenticated attacker could convince a user to click on a link using the OAuth redirect link with an untrusted website and gain access to that user's access token in Concourse. (This issue is similar to, but distinct from, CVE-2018-15798.)
350 CVE-2020-5407 347 2020-05-13 2021-06-14
6.5
None Remote Low ??? Partial Partial Partial
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
Total number of vulnerabilities : 592   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.